Conference:  KubeCon + CloudNativeCon Europe 2023

Authors: Giles Heron

2023-04-21

Media Streaming Mesh is an open-source project that enables real-time media in Kubernetes by deploying real-time media proxies to each Kubernetes node, with a per-cluster control plane ensuring that camera feeds, real-time micro-services, and external viewers are meshed together through the proxies.

• Real-time media applications require minimal loss and jitter when forwarding multi-gigabit media streams between different stages of the media ingest pipeline.
• Media Streaming Mesh addresses these use cases in a cloud-native fashion by deploying real-time media proxies to each Kubernetes node.
• Media Streaming Mesh enables distribution of a video feed to multiple downstream applications in a Kubernetes cluster.
• The media industry has multiple steps in media production, including contribution, encoding, distribution, and final delivery to users.
• Internet streaming works by making HTTP requests and receiving a media playlist with a handful of segments, leading to a trade-off between latency and reliability.

Conference:  Global AppSec Dublin 2023

Authors: Dr. Luca Compagna

2023-02-16

The presentation discusses the challenges of using commercial and open source tools for static analysis of code vulnerabilities and proposes a framework for improving the effectiveness of such tools.

• Commercial and open source tools for static analysis of code vulnerabilities have limitations in detecting all vulnerabilities
• The presented framework involves using patterns and discovery rules to improve the effectiveness of static analysis tools
• Transformation experiments were conducted to improve the testability of patterns
• The framework can be improved by adding custom rules and integrating other open source tools
• The community is invited to contribute to the project and help improve the framework

Conference:  Global AppSec San Francisco 2022

Authors: Javan Rasokat

2022-11-18

This talk deals with ‘race conditions’ in web applications. From 2021 to 2022 we have seen an increase in race condition reports with huge bugbounty payouts affecting MS, AWS, Instagram and others, for example, leading to MFA-Bypass. According to MITRE it is still a big "research gap" and based on how easily race conditions are introduced into code and how difficult they are to detect, there are probably still a lot of vulnerable applications out there. This type of vulnerability allows an attacker to create unforeseen states as a result of overlapping and parallel program code sequences. By cleverly exploiting these conditions, advantages can be gained, such as bypassing anti-brute force mechanisms, overriding limits, overvoting, and other attack scenarios. As part of this talk a developed penetration testing tool with a distributed approach and a demo web application that is vulnerable to this type of attack is being presented. With help of the demo application and the developed race condition testing tool real-world attack scenarios will be demonstrated. Also results of tested SAST/DAST tools will be given to show how difficult it is to prevent and also test for race condition vulnerabilities.  The learning objects are:1. Introduction to the Race Condition and TOCTOU vulnerabilities, how they work and why exploiting them can be attractive to an attacker, how little is known about them and perhaps too often overlooked in penetration testing.2. How easily the vulnerability exists in various web programming languages. And in which frameworks the vulnerabilities exist by default (example of a vulnerable PHP code snippet with race condition - "would you find it in a code review?").3. Why our existing toolset consisting of DAST/SAST!/RASP/WAF etc. has difficulty preventing or detecting these vulnerabilities, and why it is necessary to look for race condition vulnerabilities as part of a penetration test.4. Actual and impressive attack scenarios from bugbounty reports have been implemented in a vulnerable demo application and will be attacked during a live demo. The audience with the mindset of a breaker will learn how to test for race conditions during penetration testing.

Conference:  OWASP 20th Anniversary Event

Authors: Phu H. Phung

2021-09-24

Abstract:​Although there exist technical solutions or legislation laws, online user privacy is still an open issue and an unsolved crisis. Indeed, there is no formal assurance mechanism to guarantee that a web application will not violate its users' privacy stated in the user agreement. In this presentation, we introduce a new method to protect web users' privacy by monitoring JavaScript code based on the source of the code, i.e., code origin.  Our code-origin policy enforcement approach advances the conventional same-origin policy standard and allows the users to customize their protection. We demonstrate that our privacy policies can be certified at the development phase and verified at runtime to provide formal assurance of the enforcement.​​​

Conference:  OWASP 20th Anniversary Event

Authors: Florian Stahl

2021-09-24

The speaker presents the top 10 risks to web application security and privacy, and discusses the challenges faced in creating version 2.0 of the list.

• The speaker presents the top 10 risks to web application security and privacy, including injection, broken authentication and session management, cross-site scripting, and security misconfiguration.
• Insufficient data quality is also a privacy concern, as incorrect data can lead to issues such as incorrect credit ratings or package delivery.
• Missing or insufficient session expiration is a commonly overlooked risk that can allow providers to collect data from devices without user knowledge.
• Creating version 2.0 of the list was challenging due to finding volunteers, deciding on which risks to include, and determining the appropriate level of abstraction.
• Translations and countermeasures for version 2.0 are still being worked on, and the speaker encourages spreading awareness and implementing the list in practice.